I am exploring the amazon KMS managed service and it seems secure for storing the Master key and Data key. I am able to decrypt the data key as plain text from encrypted data key using AWS KMS API / CLI.
But I have one concern, to access the amazon KMS for decrypting the data key, I need to pass the access token and encrypted data key.
so Where can I securely store the amazon access token and encrypted data key?
Any thoughts are appreciated.
Thanks,
Harry
I need to pass the access token and encrypted data key.
Indeed, you need authenticate and authorize the client before calling any AWS service.
Maybe you could elaborate what you mean by amazon access token. Actually you need to store access key and access secret and optionally a (temporary) session token to properly authorize the service. I assume under the "amazon access token" you mean the client credentials.
Where can I securely store the amazon access token and encrypted data key?
For the data key - the encrypted data key may be stored/sent along the data (if you generate a new key for each encryption) or as a configuration (if you plan to reuse the key), that's already safely encrypted.
If your client (code using the KMS) is running on the AWS infrastructure, you may use service roles to allow access from a service to the KMS service without storing the identity credentials explicitly. This is the default (and best) way if the client runs on AWS too.
If you are accessing the KMS services from outside AWS, you application needs to have the client credentials. As already commented, in theory you may use a Secret Manager as well, but then you need credentials to access that service anyway.